Antwort: Re: Antwort: BIND and AD integration

[holger.honert at signal-iduna.de]

Hi all,
well as I promised earlier, here are the sections:
...

there are two special groups in an ad-domain the enterpris-admins and the 
schema-admins. these two groups are very important regarding security 
issues. enterprise-admins do have the most power
on ad-design and they are only able to add or delete domains to the entire 
structure. members of the schema-admins can expand the ad-schema. the 
ad-schema exist only once in a domain and is 
the base for all defined objects and their classes and attributes. today 
is it not possible to delete defintions but to disable them. due to this 
facts it is recommended to secure the schema and the above mentioned 
admins.
another signficant feature is that the doamin-admins of the ad-root-domain 
can make themselves member of both groups, so that this security relevant 
issue spans the whole ad-domain.
to save and secure this ad-root-domain, it is important to isolate it to a 
so called dedicated ad-root-domain. the dedicated ad-root-domain features 
only standard-users and computer-accounts and no 
further accounts. in principal she can be implemented in a tree- or 
forest-structure whereas it is preferred to implement here in a 
forest-structure where you have no limitations regarding e.g. name 
assignment.

...

another advantage beneath the security ist the flexibility which you will 
get when integrating new companies to the entire structure. you could do 
this without changing the entire structure as well as the name 
of company which is important regarding corporate identity and of course 
political issues ;-)

...

please forgive me, if there are too many mistakes or grammatically errors

Kind Regards/Freundlichen Gruß
 
Holger Honert
 
KOMN-97851
 
SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3
 
44139 Dortmund
 
Phone: +49 231/135-4043
FAX: +49 231/135-2959
 
mailto: holger.honert at signal-iduna.de